Using a multi-network dataset to overcome anomaly detection cold starts

1. A method comprising: receiving, at a network assurance service, a first set of telemetry data captured in a first network monitored by the network assurance service; computing, by the network assurance service and for each of a plurality of other networks monitored by the network assurance service, a similarity score between the first set of telemetry data and a set of telemetry data captured in that other network, wherein computing includes: forming a set of labeled telemetry data by labeling the telemetry data in the first set of telemetry data with a first binary label and the telemetry data in the set of telemetry data captured in the other network with a second binary label; applying a binary discriminant classifier to the set of labeled telemetry data, and computing the similarity score between the first set of telemetry data and the set of telemetry data from the other network based on an accuracy of the binary discriminant classifier applied to the set of labeled telemetry data; selecting, by the network assurance service, a machine learning-based anomaly detector trained using a particular one of the sets of telemetry data captured in one of the plurality of other networks, based on the computed similarity score between the first set of telemetry data and the particular set of telemetry data captured in one of the plurality of other networks; and using, by the network assurance service, the selected anomaly detector to assess telemetry data from the first network, until the network assurance service has received a threshold amount of telemetry data for the first network.

2. The method as in claim 1 , further comprising: providing, by the network assurance service and to a user interface associated with the first network, an indication that the service is in a cold start mode, based on the service using the selected anomaly detector to assess telemetry data from the first network.

3. The method as in claim 1 , further comprising: computing, by the network assurance service, a cost function associated with using the selected anomaly detector to assess telemetry data from the first network, wherein the cost function is based on one or more of: a rate of network anomalies in the first network detected by the anomaly detector, an average spread of the detected anomalies, or an average margin for the detected anomalies.

4. The method as in claim 3 , further comprising: training, by the network assurance service, the anomaly detector over time using telemetry data from both the first network and the other network; and determining, by the network assurance service, that the network assurance service has received the threshold amount of telemetry data for the first network based on the cost function associated with the anomaly detector.

5. The method as in claim 1 , further comprising: receiving, at the network assurance service and via a user interface associated with the first network, relevancy feedback regarding one or more network anomalies in the first network detected by the anomaly detector; and suspending, by the network assurance service, use of the selected anomaly detector to assess telemetry data from the first network, based on the relevancy feedback.

6. The method as in claim 1 , wherein the machine learning-based anomaly detector comprises a machine learning model trained using unsupervised machine learning.

7. The method as in claim 1 , wherein the anomaly detector is configured to detect wireless onboarding anomalies or network throughput anomalies.

8. An apparatus, comprising: one or more network interfaces to communicate with a network; a processor coupled to the network interfaces and configured to execute one or more processes; and a memory configured to store a process executable by the processor, the process when executed configured to: receive a first set of telemetry data captured in a first network monitored by the apparatus; compute, for each of a plurality of other networks monitored by the apparatus, a similarity score between the first set of telemetry data and a set of telemetry data captured in that other network, wherein computing includes: forming a set of labeled telemetry data by labeling the telemetry data in the first set of telemetry data with a first binary label and the telemetry data in the set of telemetry data captured in the other network with a second binary label; applying a binary discriminant classifier to the set of labeled telemetry data, and computing the similarity score between the first set of telemetry data and the set of telemetry data from the other network based on an accuracy of the binary discriminant classifier applied to the set of labeled telemetry data; select a machine learning-based anomaly detector trained using a particular one of the sets of telemetry data captured in one of the plurality of other networks, based on the computed similarity score between the first set of telemetry data and the particular set of telemetry data captured in one of the plurality of other networks; and use the selected anomaly detector to assess telemetry data from the first network, until the apparatus has received a threshold amount of telemetry data for the first network.

9. The apparatus as in claim 8 , wherein the process when executed is further configured to: provide, to a user interface associated with the first network, an indication that the apparatus is in a cold start mode, based on the apparatus using the selected anomaly detector to assess telemetry data from the first network.

10. The apparatus as in claim 8 , wherein the process when executed is further configured to: compute a cost function associated with using the selected anomaly detector to assess telemetry data from the first network, wherein the cost function is based on one or more of: a rate of network anomalies in the first network detected by the anomaly detector, an average spread of the detected anomalies, or an average margin for the detected anomalies.

11. The apparatus as in claim 10 , wherein the process when executed is further configured to: train the anomaly detector over time using telemetry data from both the first network and the other network; and determine that the apparatus has received the threshold amount of telemetry data for the first network based on the cost function associated with the anomaly detector.

12. The apparatus as in claim 8 , wherein the process when executed is further configured to: receive, via a user interface associated with the first network, relevancy feedback regarding one or more network anomalies in the first network detected by the anomaly detector; and suspend use of the selected anomaly detector to assess telemetry data from the first network, based on the relevancy feedback.

13. The apparatus as in claim 8 , wherein the machine learning-based anomaly detector comprises a machine learning model trained using unsupervised machine learning.

14. The apparatus as in claim 8 , wherein the anomaly detector is configured to detect wireless onboarding anomalies or network throughput anomalies.

15. A tangible, non-transitory, computer-readable medium storing program instructions that cause a network assurance service that monitors a plurality of networks to execute a process comprising: receiving, at the network assurance service, a first set of telemetry data captured in a first network monitored by the network assurance service; computing, by the network assurance service and for each of a plurality of other networks monitored by the network assurance service, a similarity score between the first set of telemetry data and a set of telemetry data captured in that other network, wherein computing includes: forming a set of labeled telemetry data by labeling the telemetry data in the first set of telemetry data with a first binary label and the telemetry data in the set of telemetry data captured in the other network with a second binary label; applying a binary discriminant classifier to the set of labeled telemetry data, and computing the similarity score between the first set of telemetry data and the set of telemetry data from the other network based on an accuracy of the binary discriminant classifier applied to the set of labeled telemetry data; selecting, by the network assurance service, a machine learning-based anomaly detector trained using a particular one of the sets of telemetry data captured in one of the plurality of other networks, based on the computed similarity score between the first set of telemetry data and the particular set of telemetry data captured in one of the plurality of other networks; and using, by the network assurance service, the selected anomaly detector to assess telemetry data from the first network, until the network assurance service has received a threshold amount of telemetry data for the first network.

16. The computer-readable medium as in claim 15 , wherein the process further comprises: providing, by the network assurance service and to a user interface associated with the first network, an indication that the service is in a cold start mode, based on the service using the selected anomaly detector to assess telemetry data from the first network.

17. The computer-readable medium as in claim 15 , wherein the process further comprises: computing, by the network assurance service, a cost function associated with using the selected anomaly detector to assess telemetry data from the first network, wherein the cost function is based on one or more of: a rate of network anomalies in the first network detected by the anomaly detector, an average spread of the detected anomalies, or an average margin for the detected anomalies.